Bluesky – Authenticated Data EXperiment (github.com/bluesky-social)
22 points by sarthakjshetty on May 5, 2022 | 7 comments



Yo browsers already know & implement Signed HTTP Exchanges[1]. Just follow the spec we have. Once Twitter or Bluesky or whomever signs a message, it becomes in effect a cryptographically self-identifying content-addressable blob we can relay around as we please, is cryptographically signed.

Such a damned pity that so much zealous & righteous energy in distributed & p2p is shunted into rejectionist, reactionary re-treading, that it rejects what is & expansion & enhancement & wanders off alone (into the far blue sky) to go try its own hand at communing with god & finding a whole new approach. This is Bluesky confirming that they too either don't see or don't care to work with the best most advanced prospects we have, that they'd rather go back to 0 again. Disappointing, unsurprising, totally in the mold of every hot-taking reactionary would-be do-it-all-over-again revolutionary, like Urbit.

I will try to see if there's anything here really novel & enabling, but holy cow, HTTP already does 92% of what's on the tin here, & we could turn it on for everything in months, with little challenge, if we cared to try.

[1] https://web.dev/signed-exchanges/


SXG is cool! But as far as I can tell, Chromium-only, and making HTTP exchanges the central artifact of a new Twitter-like communications-standard might bring in unwarranted overhead & assumptions.

In particular, some weaknesses of ActivityPub come from its foundational assumptions of an HTTP-server-centric model. Might SXG solve a few of those but retain others? Why should server certs (that expire within 90 days, no less!) be the trust roots of a new system, rather than individual users' cryptographic identities?

By placing a stake-in-the-ground with one investigational prototype (ADX), there's a baseline for a motivated individual who really thinks SXG can do the same or more, on a ready-made base, to demonstrate that with code rather than just exasperated HN comments.


With certificate transparency, I don't think SXG's expiration is a real barrier to broader use. The hardnosed shitty browser attitude around right now: it will collapse in the face of obvious utility, other people will implement more aspirational & liberal systems. This stance is untenable in the face of the obvious huge value of being able to look at old signed content, particularly when coupled with certificate transparency systems. This conservative standard is just a minimal & obvious agreeable starting place, something to appease the rejectionist low-caliber Safari-alike attitudes, but adoption will give way to expansion, given the immense user value of signed content. I say this as a core core protester against these pathetic loserly expiration timeouts[1].

I get maybe not putting all your chips in the SXG basket. I disagree with a bunch of the protest: this seems like a sensible, basic, obvious layered enhancement to the existing web. Safari & Mozilla are (as is the mood today) being terrible shits as usual, the regressives.

Contrasting ADX versus SXG just feels so wild, because SXG is a small refinement to a vast world-spanning & complete ecosystem of technology that has already taken over the planet. It directly targets the one complaint you make: http-server centricity, & sets dynamite to that one old bad no-good base. And ADX is a standalone completely isolated alternate world, its own reality. This tension, whether we need a baseline which is 100% new & novel & redefines the entire problem space on its own terms, completely from scratch, or whether we can hack & improve & enhance what we have: I don't feel like there's any camp at all left to defend improvement.

Ideally SXG would be used with additional user-encryption. User subdomains, with their own keys would be swell. Turning sites into sites of sites is what SXG really starts to permit. Layering in some .well-known to be more cryptographically portable with identities is just another small enhancement, just more layering, albeit yet-more-idealism.

Tear it all down, start over... it's the mode. I agree, this debate needs more than HN comments. But this tension & conflict, this view of the world & how it evolves or revolts: it's been trying to make revolutions & insist no bounds, nothing today can possibly be good enough for tomorrow. And two plus decades later, it's made such tiny impact, is so niche.

I accept your snub, getting told I'm exasperated, but it's for a real reason, it's because these decades have failed to deliver & so few have willingly tried improving what is (Safari & Mozilla being a quite vocal modern anchor keeling things in place, a modern astroturfing shouting class against trying anything, especially). This effort does have the social capital to perhaps emerge & birth something new, but we could also just improve & greatly fix everything that already is. With minor, layered, small, principled enhancements.

[1] https://github.com/WICG/webpackage/issues/597


How does SXG "set dynamite to" http-server-centricity? Aren't all resources still named via HTTP endpoints, thus also bringing in overhead of the domain-system & TLS-Certificate assumptions? It seems to enable path-indifference, not independence from HTTP-server assumptions.

How does certificate transparency resolve a dependence on short-lived certificates that makes perfect sense for Google's applications, but not necessarily others? Will these unspec'd additions like "additional user encryption", "user subdomains", etc be easy to define & standardize – even if they don't meet Google's very-specific motivations that power things like AMP?

I've only skimmed the ADX materials so far, but that's enough to see it's not a "standalone completely isolated alternate world" – reusing many standards deployed elsewhere (which another commenter has pointed out are often older than SXG), and devising conventions that even an SXG-centric solution would... still need to devise.


SXG is just some document that a Google employee authored and didn't build consensus enough to standardize (e.g. Firefox/Safari don't support it). It's now an expired IETF draft that appears superseded by a different thing. It's also newer than nearly all the technologies used by OP link.

> Such a damned pity that so much zealous & righteous energy ... shunted

You're projecting


It got renamed in the latest draft. Not sure why it's not at IETF, that sucks, but same stuff. https://wicg.github.io/webpackage/draft-yasskin-httpbis-orig...

> You're projecting

Cheap, mean, and vacuous. Trifecta of cruel callousness. What do you know? These are just words posted here but I see myself as trying very much to engage here, to work with what is about & layer enhancement. Sure I'm zealous & righteous a bit too, but my value call: that too many have a refusenik tear it all down/reject everything/start again destructiveness? That that shunts real progress? That assessment, that hypothesis is not projection. If you want to make a case & not just throw bombs, I'd love the chance for self assessment, but this is just poison right now & low.


What’s the difference between this and SOLID?



